Date:      Thu, 2 Oct 2014 02:00:22 +0000 (UTC)
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r272394 - head/sys/netipsec
Message-ID:  <201410020200.s9220M4E055012@svn.freebsd.org>

Author: ae
Date: Thu Oct  2 02:00:21 2014
New Revision: 272394
URL: https://svnweb.freebsd.org/changeset/base/272394

Log:
  Do not strip outer header when operating in transport mode.
  Instead, requeue the mbuf back to the IPv4 protocol handler. If there is one extra IP-IP
  encapsulation, it will be handled by the tunneling interface, and thus the proper
  interface will be exposed in the mbuf's rcvif. Also, a tcpdump that listens on the tunneling
  interface will see packets in both directions.
  
  Sponsored by:	Yandex LLC

Modified:
  head/sys/netipsec/ipsec_input.c

Modified: head/sys/netipsec/ipsec_input.c
==============================================================================
--- head/sys/netipsec/ipsec_input.c	Thu Oct  2 01:16:30 2014	(r272393)
+++ head/sys/netipsec/ipsec_input.c	Thu Oct  2 02:00:21 2014	(r272394)
@@ -391,7 +391,8 @@ ipsec4_common_input_cb(struct mbuf *m, s
 #endif /* DEV_ENC */
 
 	/* IP-in-IP encapsulation */
-	if (prot == IPPROTO_IPIP) {
+	if (prot == IPPROTO_IPIP &&
+	    saidx->mode != IPSEC_MODE_TRANSPORT) {
 
 		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
 			IPSEC_ISTAT(sproto, hdrops);
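Review bot: The decapsulation guard now excludes only IPSEC_MODE_TRANSPORT, so an SA whose mode is anything other than transport — including, if such an SA can reach this path, one still carrying IPSEC_MODE_ANY — keeps having its inner header stripped here; if only tunnel-mode SAs are meant to decapsulate, `saidx->mode == IPSEC_MODE_TUNNEL` states that intent precisely, otherwise a one-line comment such as `/* every non-transport mode is treated as tunnel mode here */` would settle the question for the next reader. The identical guard is added to the IPv6-in-IP block in the second hunk, and the same remark applies there. A transport-mode packet whose next header happens to be IPIP now bypasses the `m->m_pkthdr.len - skip < sizeof(struct ip)` check of this block and is validated only after it is requeued to the IPv4 protocol handler, as the log describes. The enclosing ipsec4_common_input_cb starts and ends outside the hunk, so whether saidx is guaranteed non-NULL at this point cannot be confirmed from it.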
@@ -431,7 +432,8 @@ ipsec4_common_input_cb(struct mbuf *m, s
 	}
 #ifdef INET6
 	/* IPv6-in-IP encapsulation. */
-	if (prot == IPPROTO_IPV6) {
+	if (prot == IPPROTO_IPV6 &&
+	    saidx->mode != IPSEC_MODE_TRANSPORT) {
 
 		if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
 			IPSEC_ISTAT(sproto, hdrops);
@@ -502,6 +504,12 @@ ipsec4_common_input_cb(struct mbuf *m, s
 
 	key_sa_recordxfer(sav, m);		/* record data transfer */
 
+	/*
+	 * In transport mode requeue decrypted mbuf back to IPv4 protocol
+	 * handler. This is necessary to correctly expose rcvif.
+	 */
+	if (saidx->mode == IPSEC_MODE_TRANSPORT)
+		prot = IPPROTO_IPIP;
 #ifdef DEV_ENC
 	/*
 	 * Pass the mbuf to enc0 for bpf and pfil.
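Review bot: After `prot = IPPROTO_IPIP;` the variable no longer identifies the packet's inner protocol but acts as a selector for the re-dispatch that follows later in the function, so every later use of prot — starting with the DEV_ENC block directly below — needs to be checked for that assumption. A dedicated variable for the dispatch target would avoid the overloading; failing that, the new comment should say it outright, e.g. append `Prot is overwritten here and no longer names the payload protocol below this point.` A consequence worth recording in the comment is that the decrypted transport-mode packet traverses IPv4 input a second time, so pfil/firewall hooks and input statistics observe it twice; presumably the IPsec-done packet tag recorded earlier in this function keeps the policy check from re-running, but that is inferred rather than visible in the hunk. The enclosing function continues past the hunk.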


